I have 50 domains attached to my hosts list, per Spybot

March 7, 2013 at 22:37:59
Specs: Windows 7 7600 build, 2.5 gig
Can anyone make heads/tails out of this?

I apologise..I can't seem to add a screenshot. I hit the blue 'Begin Process' and it goes through 30 names/sites...and hangs. The message below was to be supported by a screenshot.

I've been hacked for 6 months...3 machines, 2 OSes. I dunno..maybe I got on the practice list for the Chinese hacking team. I have MUIs loaded...that reload..for China and Taiwan...

But unless I solve this...I am TOAST. Not like I have $50,000 in some IRA to tap...

Thanks




#1
March 7, 2013 at 23:36:36
Re my post #1.
http://www.computing.net/answers/se...
http://www.computing.net/answers/se...
I am still waiting on the ListParts details.


#2
March 9, 2013 at 14:14:33
They are in the original thread, John. Both of them..I wrote notes above, so that's why you may have missed them -this is in the SxS area. Given that..here is the scan you asked me to run..the ESET ONLINE. Thank you
----------------------------------------------------------------------------

C:\Program Files\NirSoft Utilities\awatch.exe a variant of Win32/AdapterWatch.A application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\BulletsPassView.exe a variant of Win32/PSWTool.BulletsPassView.C application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\ProduKey.exe a variant of Win32/PSWTool.ProductKey application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\RouterPassView.exe a variant of Win32/PSWTool.RouterPassView.B application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\SkypeLogView.exe a variant of Win32/SkypeLogView.A application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\smsniff.exe a variant of Win32/Sniffer.SniffPass.B application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\strun.exe Win32/StartupRun.AB application cleaned by deleting - quarantined

C:\Program Files\NirSoft Utilities\WebBrowserPassView.exe a variant of Win32/PSWTool.WebBrowserPassView.B application cleaned by deleting - quarantined

C:\Users\Administrator.000\Downloads\7zip_installer_d793193.exe probably a variant of Win32/InstallIQ application cleaned by deleting - quarantined

C:\Users\Administrator.000\Downloads\awatch.zip a variant of Win32/AdapterWatch.A application deleted - quarantined

C:\Users\Administrator.000\Downloads\oi_fwinstallexe.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined

C:\Users\Administrator.000\Downloads\oi_spf5exe.exe a variant of Win32/OpenInstall application cleaned by deleting - quarantined

C:\Users\Administrator.000\Downloads\registry-cleaner-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined

C:\Users\Administrator.000\Downloads\awatch\awatch.exe a variant of Win32/AdapterWatch.A application cleaned by deleting - quarantined

1. NIRSOFT ATTACHES MOST OF THE ENTIRE SYSINTERNALS SUITE IN THIS TOOL OF OVER 100 ANALYSIS PRODUCTS (WILL PUT ON A ZIP IN FUTURE)

2. THE OTHERS IN DOWNLOAD..I DON'T BELIEVE I'VE INSTALLED ANY OF THESE SHOWING



#3
March 9, 2013 at 14:41:20
" Given that..here is the scan you asked me to run..the ESET ONLINE"
Thanks MSshouldbesued.

"NIRSOFT"
That may be a false positive or a download from an illegal site.

"I DON'T BELIEVE I'VE INSTALLED ANY OF THESE SHOWING"
Malware Prevention
http://www.malwarevault.com/prevent...
"There is no magic involved. The majority of malware is installed by the user themselves"

I will be focusing on making sure you are malware free first, there may be side issues as we proceed, that is normal.
I shall give you further instruction soon.

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair later.

If any program won't run (due to the infection), let me know.

Copy & Paste the contents of the log/logs after running each program.



#4
March 9, 2013 at 14:50:25
Run Hitman Pro, then Copy & Paste the contents of the log please.
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (32-bit)
http://dl.surfright.nl/HitmanPro35.exe
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...
Review
http://www.youtube.com/watch?v=WmPQ...

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller.



#5
March 9, 2013 at 15:56:53
Yes, I doubt they are using any Sysinternals stuff...but I just saw in here...
IE 9 REMOTE VERSION. I had to snag IE off of (wince) that site..Brothersoft or the other big one who I've learned packages junk with the products. I couldn't get it from MS..the IE browser wouldn't work. I BELIEVE..I know.... THERE IS INFORMATION IN HERE THAT IS WORTHWHILE TO YOU. I saw IE 9 as described..and what you pointed out as an issue. Thanks so much
--------------------------------------------------------
OTL Extras logfile created on: 3/9/2013 3:39:44 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator.000\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.49 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 53.18% Memory free
6.23 Gb Paging File | 4.76 Gb Available in Paging File | 76.52% Paging File free
Paging file location(s): c:\pagefile.sys 3825 3825 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 55.79 Gb Total Space | 27.79 Gb Free Space | 49.80% Space Free | Partition Type: NTFS
Drive D: | 574.94 Mb Total Space | 183.73 Mb Free Space | 31.96% Space Free | Partition Type: UDF
Drive E: | 100.00 Mb Total Space | 30.54 Mb Free Space | 30.54% Space Free | Partition Type: NTFS
Drive F: | 0.56 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: WIN7-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 360 Days

[color=#E56717]========== Extra Registry (All) ==========[/color]


[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = comfile] -- "%1" %*
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\WinHlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\Windows\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\Windows\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\Windows\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\Windows\System32\WScript.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\Windows\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\WinHlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\Windows\System32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
inffile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Windows\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- C:\Windows\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- C:\Windows\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\notepad.exe "%1" (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\notepad.exe /p "%1" (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
vbsfile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wsffile [edit] -- "%SystemRoot%\System32\Notepad.exe" %1 (Microsoft Corporation)
wsffile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
wsffile [print] -- "%SystemRoot%\System32\Notepad.exe" /p %1 (Microsoft Corporation)
wshfile [open] -- "%SystemRoot%\System32\WScript.exe" "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant *S-1-5-32-544:F /t (Microsoft Corporation)
Directory [zTakeOwnership] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[color=#E56717]========== System Restore Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)


[color=#E56717]========== Vista Active Open Ports Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

[color=#E56717]========== Vista Active Application Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{9E5600C7-9C7F-48D6-B667-B0C6803BD628}" = protocol=17 | dir=in | app=c:\program files\pandasecuritytb\dtuser.exe |
"{9E60305D-57DD-47C1-A9DC-D4EB2FC0242B}" = protocol=6 | dir=in | app=c:\program files\pandasecuritytb\dtuser.exe |
"UDP Query User{6FCE7BB4-E43E-4D6E-979E-6C3B271CB206}C:\windows\system32\mmc.exe" = protocol=17 | dir=in | app=c:\windows\system32\mmc.exe |

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{100C8F3B-82D6-4B14-BB7A-5E8C3FF810C8}_is1" = Driver Fusion
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{885843E7-6CAC-4791-B7BF-1CD516017954}_is1" = DLL Suite 2013
"{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1" = Auslogics Registry Cleaner
"{8DD62FB6-083D-40B9-9D7D-48449FDDDED5}" = Microsoft Windows Debugging Symbols
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{E864A1C8-EEE1-47D0-A7F8-00CC86D26D5E}_is1" = Wise Care 365 version 2.21
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced SystemCare 4_is1" = Advanced SystemCare 4
"avast" = avast! Free Antivirus
"Belarc Advisor" = Belarc Advisor 8.3
"CCleaner" = CCleaner
"DigiCert Discovery" = DigiCert Discovery
"ESET Online Scanner" = ESET Online Scanner v3
"FreeFixer1.01" = FreeFixer
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Look 'n' Stop 2.07" = Look 'n' Stop 2.07
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 19.0.2 (x86 en-US)" = Mozilla Firefox 19.0.2 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NirSoft ServiWin" = NirSoft ServiWin
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"pandasecuritytb" = Panda Security Toolbar
"Registry Smoker_is1" = Registry Smoker 1.5
"Revo Uninstaller" = Revo Uninstaller 1.94
"Sandboxie" = Sandboxie 3.76 (32-bit)
"Tweaking.com - Advanced System Tweaker" = Tweaking.com - Advanced System Tweaker
"Tweaking.com - Simple System Tweaker" = Tweaking.com - Simple System Tweaker
"Tweaking.com - Windows Repair (All in One)" = Tweaking.com - Windows Repair (All in One)
"WSCC_is1" = WSCC 2.1.0.0

[color=#E56717]========== Last 20 Event Log Errors ==========[/color]

[ Application Events ]
Error - 3/6/2013 5:26:32 AM | Computer Name = win7-PC | Source = Application Hang | ID = 1002
Description = The program SDFiles.exe version 2.0.12.135 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 784 Start
Time: 01ce1a43f7c9626c Termination Time: 78 Application Path: C:\Program Files\Spybot
- Search & Destroy 2\SDFiles.exe Report Id: d4d206f8-863f-11e2-9491-df201f432d3f


Error - 3/6/2013 9:15:56 AM | Computer Name = win7-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16457,
time stamp: 0x50a2f9e3 Faulting module name: aswWebRepIE.dll_unloaded, version: 0.0.0.0,
time stamp: 0x512f1633 Exception code: 0xc0000005 Fault offset: 0x67703769 Faulting
process id: 0xeb0 Faulting application start time: 0x01ce1a6ca8c5941f Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: aswWebRepIE.dll
Report
Id: fa57d506-865f-11e2-acca-e977d4ddda27

Error - 3/6/2013 9:16:04 AM | Computer Name = win7-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16457,
time stamp: 0x50a2f9e3 Faulting module name: aswWebRepIE.dll_unloaded, version: 0.0.0.0,
time stamp: 0x512f1633 Exception code: 0xc0000005 Fault offset: 0x677760e8 Faulting
process id: 0xeb0 Faulting application start time: 0x01ce1a6ca8c5941f Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: aswWebRepIE.dll
Report
Id: feee78d5-865f-11e2-acca-e977d4ddda27

Error - 3/6/2013 9:16:05 AM | Computer Name = win7-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 9.0.8112.16457,
time stamp: 0x50a2f9e3 Faulting module name: aswWebRepIE.dll_unloaded, version: 0.0.0.0,
time stamp: 0x512f1633 Exception code: 0xc0000005 Fault offset: 0x67703769 Faulting
process id: 0xeb0 Faulting application start time: 0x01ce1a6ca8c5941f Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: aswWebRepIE.dll
Report
Id: fffcfbde-865f-11e2-acca-e977d4ddda27

Error - 3/6/2013 10:11:22 PM | Computer Name = win7-PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 19.0.0.4794 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: e2c Start
Time: 01ce1ac9fa1724b6 Termination Time: 570 Application Path: C:\Program Files\Mozilla
Firefox\firefox.exe Report Id: 2b67ac34-86cc-11e2-acca-e977d4ddda27

Error - 3/7/2013 4:12:57 PM | Computer Name = win7-PC | Source = VSS | ID = 8194
Description = Volume Shadow Copy Service error: Unexpected error querying for the
IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often
caused by incorrect security settings in either the writer or requestor process.


Operation:

Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer Writer Instance ID: {0c3a97a7-3223-47b5-aede-ef842c10ffcd}

Error - 3/7/2013 4:41:23 PM | Computer Name = win7-PC | Source = MSDTC | ID = 4358
Description =

Error - 3/7/2013 4:41:23 PM | Computer Name = win7-PC | Source = MSDTC Client | ID = 4356
Description =

Error - 3/8/2013 11:31:03 PM | Computer Name = win7-PC | Source = Application Error | ID = 1000
Description = Faulting application name: OIS.EXE, version: 14.0.4730.1010, time
stamp: 0x4b498ef1 Faulting module name: KERNELBASE.dll, version: 6.1.7600.17107,
time stamp: 0x502f7944 Exception code: 0xe06d7363 Fault offset: 0x000096c3 Faulting
process id: 0xa64 Faulting application start time: 0x01ce1c76861bd302 Faulting application
path: C:\PROGRA~1\MICROS~2\Office14\OIS.EXE Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report
Id: c4cbd3e0-8869-11e2-8523-fc2c660c5638

Error - 3/9/2013 4:32:39 AM | Computer Name = win7-PC | Source = VSS | ID = 8194
Description = Volume Shadow Copy Service error: Unexpected error querying for the
IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often
caused by incorrect security settings in either the writer or requestor process.


Operation:

Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer Writer Instance ID: {682af30c-c049-4b08-94b1-7c771fe27c2a}

[ Media Center Events ]
Error - 11/27/2012 3:25:35 AM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 1:25:35 AM - Error connecting to the internet. 1:25:35 AM - Unable
to contact server..

Error - 11/27/2012 11:05:29 AM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 9:05:29 AM - Error connecting to the internet. 9:05:29 AM - Unable
to contact server..

Error - 2/13/2013 4:24:51 PM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 2:24:50 PM - Error connecting to the internet. 2:24:51 PM - Unable
to contact server..

Error - 3/1/2013 4:15:43 PM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 2:15:42 PM - Error connecting to the internet. 2:15:42 PM - Unable
to contact server..

Error - 3/1/2013 4:15:53 PM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 2:15:53 PM - Error connecting to the internet. 2:15:53 PM - Unable
to contact server..

Error - 3/1/2013 4:17:30 PM | Computer Name = win7-PC | Source = MCUpdate | ID = 0
Description = 2:17:30 PM - Error connecting to the internet. 2:17:30 PM - Unable
to contact server..

[ System Events ]
Error - 3/8/2013 4:03:13 AM | Computer Name = win7-PC | Source = APPHOSTSVC | ID = 9000
Description = The Application Host Helper Service encountered an error while reading
the data for SID mapping. Please ensure that the application pool name data is
correct in the configuration file. To resolve this issue, please recommit the
changes or restart this service. The data field contains the error number.

Error - 3/8/2013 4:03:19 AM | Computer Name = win7-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
crcdisk OADevice

Error - 3/8/2013 4:11:06 AM | Computer Name = win7-PC | Source = APPHOSTSVC | ID = 9000
Description = The Application Host Helper Service encountered an error while reading
the data for SID mapping. Please ensure that the application pool name data is
correct in the configuration file. To resolve this issue, please recommit the
changes or restart this service. The data field contains the error number.

Error - 3/8/2013 4:11:13 AM | Computer Name = win7-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
crcdisk OADevice

Error - 3/8/2013 6:30:52 AM | Computer Name = win7-PC | Source = APPHOSTSVC | ID = 9000
Description = The Application Host Helper Service encountered an error while reading
the data for SID mapping. Please ensure that the application pool name data is
correct in the configuration file. To resolve this issue, please recommit the
changes or restart this service. The data field contains the error number.

Error - 3/8/2013 6:30:54 AM | Computer Name = win7-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
crcdisk OADevice

Error - 3/8/2013 11:54:26 AM | Computer Name = win7-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 3/8/2013 5:20:41 PM | Computer Name = win7-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Netman service.

Error - 3/8/2013 7:42:59 PM | Computer Name = win7-PC | Source = APPHOSTSVC | ID = 9000
Description = The Application Host Helper Service encountered an error while reading
the data for SID mapping. Please ensure that the application pool name data is
correct in the configuration file. To resolve this issue, please recommit the
changes or restart this service. The data field contains the error number.

Error - 3/8/2013 7:43:06 PM | Computer Name = win7-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
crcdisk OADevice


< End of report >



#6
March 9, 2013 at 16:05:16
John, THE POST OF HITMAN IS ON THE SXS PAGE..
I have NO idea what's going on w/ the site or on my end, but to post a log is taking me 45 minutes!
I keep getting kicked off as the post is trying to 'take'...I see about 20 cookies load when the page loads. My end or yours???

Wow...I have no idea..have Spybot in here...Sandboxie...but apparently I need to find the open spot and it pastes as it should....this is Firefox BTW...It may be this HTTPS Everywhere plug-in.



#7
March 9, 2013 at 19:47:58
I cleaned up to the HOSTS area. Deleted as the button said. Drivers are in black..next...the instructions on screen aren't clear enough for me to proceed...but the HOSTS file is now clean. --I LOVE that RogueKiller-----
Looked up the drivers..they are from Avast..installed in the machine. THANK YOU!
RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Remove -- Date : 03/09/2013 21:41:16
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]
[SUSP PATH] Tcpview.exe -- C:\Users\Administrator.000\Desktop\TCPView\Tcpview.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][Tst.HjT] HKCU\[...]\Run : HijackThis startup scan (C:\Users\Administrator.000\Downloads\HijackThis.exe /startupscan) [-] -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
_INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0x80751C00)

¤¤¤ Infection : Tst.HjT ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Disk drive +++++
--- User ---
[MBR] e61ad200f3aa4540e5775a33b5d4ddc2
[BSP] b5a323188b24eedb45e970e8bda54dbb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57129 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_03092013_02d2141.txt >>
RKreport[1]_S_03092013_02d2138.txt ; RKreport[2]_D_03092013_02d2141.txt



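The hosts file RogueKiller printed in the post above is the kind of thing the thread title is asking about, so here is an added example (written for this page, not code from RogueKiller, Spybot or any other tool mentioned in the thread) that triages a Windows hosts file: it separates stock localhost lines and 127.0.0.1 / 0.0.0.0 "sinkhole" entries, the kind Spybot's hosts-file immunization writes to block known bad domains, from entries that point a name at a remote address, which is the pattern that actually indicates tampering. The sample file is constructed; the two 203.0.113.7 redirections use a documentation-only address range and .invalid names and are hypothetical, not from the OP's machine.

```python
"""Triage of a Windows hosts file (constructed example for this thread).

A large number of 127.0.0.1 entries is a blocklist, not a compromise: those
names resolve to the local machine and simply become unreachable.  An entry
that maps a name to a remote IP is the one worth investigating.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the RogueKiller output above.  The two
# 203.0.113.7 lines are hypothetical tampering (documentation address range,
# .invalid names) added to show what a real redirection looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
0.0.0.0 www.008k.com   # some blockers sinkhole to 0.0.0.0 instead
not-an-address garbage.example
203.0.113.7 www.example-bank.invalid
203.0.113.7 update.example-av.invalid www.example-av.invalid
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    names: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text, skipping blanks, comments and lines whose first
    token is not an IP address (the Windows resolver ignores those as well)."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        if names:
            entries.append(HostsEntry(line_no, address, tuple(n.lower() for n in names)))
    return entries


def is_sinkhole(address: str) -> bool:
    """127.x / ::1 / 0.0.0.0 targets make a name unreachable rather than redirecting it."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def triage(text: str) -> Dict[str, List[HostsEntry]]:
    """Bucket entries as 'localhost' (stock), 'sinkhole' (blocklist) or 'redirect'."""
    buckets: Dict[str, List[HostsEntry]] = {"localhost": [], "sinkhole": [], "redirect": []}
    for entry in parse_hosts(text):
        if not is_sinkhole(entry.address):
            buckets["redirect"].append(entry)       # name -> remote IP: investigate
        elif set(entry.names) <= LOCAL_NAMES:
            buckets["localhost"].append(entry)      # stock Windows lines
        else:
            buckets["sinkhole"].append(entry)       # blocklist / immunization entries
    return buckets


def summarize(text: str) -> dict:
    """Counts plus the redirect details an analyst wants to see first."""
    buckets = triage(text)
    return {
        "sinkholed_names": sum(len(e.names) for e in buckets["sinkhole"]),
        "redirected_names": sorted(n for e in buckets["redirect"] for n in e.names),
        "redirect_targets": sorted({e.address for e in buckets["redirect"]}),
        "redirect_lines": [e.line_no for e in buckets["redirect"]],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_HOSTS)
    print(f"{result['sinkholed_names']} names sinkholed (blocking, not compromise)")
    for name in result["redirected_names"]:
        print(f"INVESTIGATE: {name} -> {', '.join(result['redirect_targets'])}")
```

On a real system point `summarize` at the text of C:\Windows\System32\drivers\etc\hosts; anything in the redirect bucket is what to compare against the scan logs, while the sinkhole count is just the size of the blocklist.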
